ASA-2019-00549 – Exim: Heap-based buffer overflow in string_vformat

There is a heap-based buffer overflow in string_vformat (string.c). The currently known exploit uses a extraordinary long EHLO string to crash the Exim process that is receiving the message. While at this mode of operation Exim already dropped its privileges, other paths to reach the vulnerable code may exist.

ASA-2019-00534 – Exim: Buffer overflow by sending a SNI ending in a backslash-null sequence during the initial TLS handshake

The SMTP Delivery process in all versions up to and  including Exim 4.92.1 has a Buffer Overflow. In the default runtime configuration, this is exploitable with crafted Server Name Indication (SNI) data during a TLS negotiation. In other configurations, it is exploitable with a crafted client TLS certificate. A local or remote attacker can execute programs with root privileges. The vulnerability is exploitable by sending a SNI ending in a backslash-null sequence during the initial TLS handshake.

ASA-2019-00466 – Exim: Remote code execution with root privileges in unusual configuration

A local or remote attacker can execute programs with root privileges - if you've an unusual configuration. If your configuration uses the ${sort } expansion for items that can be controlled by an attacker (e.g. $local_part, $domain). The default config, as shipped by the Exim developers, does not contain ${sort }. The vulnerability is exploitable either remotely or locally and could be used to execute other programs with root privilege. The ${sort } expansion re-evaluates its items.